Cybersecurity is increasingly becoming a topic for legislators, especially for the public sector, critical infrastructure, healthcare, education, the financial and the insurance sectors.
In the US, in addition to several federal laws (HIPAA, HITECH, GLBA, SOX, FISMA, CISA), there are many state-level laws that impose some level of cybersecurity requirement (we have excluded the ones regarding election security in particular, as that’s a separate topic of discussion)
We have reviewed the US states legislation from recent years and compiled a list of successful cybersecurity legislation initiatives. They typically stipulate that a certain sector should build a cybersecurity strategy and implement basic cybersecurity norms. The legislation is technologically neutral (and rightly so), but in most of these cases typical cybersecurity tools like SIEM, Firewall, Antivirus and DLP are considered necessary to cover the requirements.
Below is a list of federal and state cybersecurity laws.
| Regulation | Affected sectors | State | More information |
|---|---|---|---|
| HIPAA | Healthcare | Federal | The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html |
| HITECH | Healthcare | Federal | The HITECH Act encouraged healthcare providers to adopt electronic health records and improved privacy and security protections for healthcare data. This was achieved through financial incentives for adopting EHRs and increased penalties for violations of the HIPAA Privacy and Security Rules. |
| CISA | Any | Federal | CISA is designed to “improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats and for other purposes”. https://whatis.techtarget.com/definition/Cybersecurity-Information-Sharing-Act-CISA https://www.lexology.com/library/detail.aspx?g=31bc698a-ec4d-4b9b-a8a9-46d893777a10 |
| FISMA | Federal agencies | Federal | The Federal Information Security Management Act (FISMA) was enacted to set security requirements for federal agencies’ information systems. FISMA’s goal is to ensure data and the systems that use the data have confidentiality, integrity, and high availability. https://www.sdxcentral.com/security/definitions/what-is-fisma-an-overview-of-the-law/ |
| GLBA | Financial | Federal | The Gramm-Leach-Bliley Act (GLBA) requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. |
| SOX | Any | Federal | Sarbanes-Oxley Act (SOX) protects shareholders and the general public from accounting errors and fraudulent practices in enterprises and improves the accuracy of corporate disclosures. The act sets deadlines for compliance and publishes rules on requirements. |
| SEC Regulation SCI | Financial | Federal | The SEC designed Regulation SCI in response to securities markets being increasingly dependent on technology and automated systems. Under the rule, SCI entities must design, implement, test and maintain IT policies and procedures for their systems’ capacity, integrity, resiliency, availability and security. |
| AL S 54 | Insurance | Alabama | Relates to insurance; requires insurers and other entities licensed by the Department of Insurance to develop, implement, and maintain an information security program; provides for reporting to the Commissioner of Insurance, including the reporting of cybersecurity events; provides that information provided to the commissioner pursuant to this act would be confidential and privileged under certain conditions; provides for civil penalties under certain conditions. |
| AZ H 2177 | Financial | Arizona | Revises provisions relating to the Regulatory Sandbox Program, revises certain definitions, relates to temporary testing of innovation without otherwise being licensed, revises provisions relating to the application process and requirements, provides for financial products and services, requires the employment of cybersecurity measures to avoid breaches. |
| CA SB1386 | Any | California | SB 1386 went into effect on July 1, 2003. Under the law, covered parties must disclose any breach of the security of personal data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. |
| DE H 174 | Insurance | Delaware | Enacts the Insurance Data Security Act. Establishes standards for data security for Title 18 licensees and standards for the investigation of and notification to the Commissioner of a cybersecurity event affecting Title 18 licensees. https://news.delaware.gov/2019/08/01/insurance-data-security-act-signed-into-law/ |
| DE S 153 | State agencies | Delaware | Relates to information technology recommendations of the Government Efficiency and Accountability Review Board, establishes a statewide shared technology services model to facilitate digital government for citizens, increase efficiency, and control security risks.
|
| IL H 5547 | State agencies | Illinois | Amends the State Auditing Act provides that on a biennial basis, the Auditor General shall conduct a performance audit of state agencies and their cybersecurity programs and practices, with a particular focus on agencies holding large volumes of personal information, provides for the subjects to be assessed by the audit, provides for the issuance of an audit report. http://www.senchapinrose.com/News/1377/New-laws-going-into-effect-Jan-1/news-detail/ |
| IN S 362 | Utilities | Illinois | Relates to the regulation of new water and wastewater systems, provides that a water or wastewater utility that begins providing service to the public, after a specified date, is subject to the jurisdiction of the State Utility Regulatory Commission, provides for rates and charges, and other matters, for a specified period, beginning on the day on which the water or wastewater utility begins providing service to the public. |
| IN S 4 | Utilities | Indiana | Provides that a permit for the discharge from a wastewater treatment plant may not be issued unless the application contains a cybersecurity plan. Excludes the cybersecurity plan from public access. |
| IN H 1372 | Insurance | Indiana | Adopts the insurance data security model law, which requires certain holders of an insurance license, authority, or registration to maintain an information security program and meet other requirements. Establishes an affirmative defence to a tort civil action for a licensee that satisfies the requirements of the insurance data security model law. |
| LA S 46 | Any | Louisiana | Authorizes entities to monitor, share, and receive certain information relative to cyber threats, authorizes certain defensive measures, relates to certain security and information controls, provides for confidentiality of certain information. |
| LA H 614 | Insurance | Louisiana | Provides relative to data security for persons regulated by the commissioner of insurance. |
| LA S 140 | State agencies | Louisiana | Requires certain offices to report cyber incidents to the secretary of state. |
| MA 201CMR17.00 | Any | Massachusetts | Standards for the protection of personal information of residents of the Commonwealth |
| MI H 6491 | Insurance | Michigan | Enacts the Insurance Data Security Model law; establishes the exclusive standards, for this state, applicable to licensees for data security, the investigation of a cybersecurity event, and notification to the director. |
| MS S 2831 | Insurance | Mississippi | Establishes the Insurance Data Security Law, provides the purpose and intent of the Act, defines certain terms used in the Act, requires insurance licensees in this state to develop, implement and maintain an information security program, requires certain investigation of a cybersecurity event, requires certain notification of a cybersecurity event, provides for certain confidentiality, provides exceptions to the Act, provides for penalties for violations of the Act. |
| MO H 2120 | Utilities | Missouri | Establishes provisions relating to water safety and security. Provides that each community water system shall create a plan that establishes policies and procedures for identifying and mitigating cyber risk. The plan shall include risk assessments and the implementation of appropriate controls to mitigate identified cyber risks. |
| ND S 2110 | State agencies, Education | Nevada | Expands the powers and duties of the Information Technology Department to oversee cybersecurity strategy for all executive branch state agencies, including institutions under the control of the State Board of Higher Education, counties, cities, school districts, or other political subdivisions. |
| NH S 194 | Insurance | New Hampshire | Establishes the Insurance Data Security Law, updates and establishes standards for the protection of consumers’ non-public information, requirements for investigation of a breach and notification to the Commissioner and consumers in the event of cybersecurity breaches relating to consumers’ nonpublic information. |
| 23 NYCRR 500 | Financial | New York | А regulation establishing cybersecurity requirements for financial services companies. |
| SHIELD | Any | New York | The SHIELD Act’s obligations apply to “аny person or business which owns or licenses computerized data which includes private information” of a resident of New York. Previously, the obligation to provide notification of a data breach under New York’s breach notification law applied only to persons or businesses that conducted business in New York. https://www.natlawreview.com/article/new-york-shield-act-faqs |
| SC H 4655 | Insurance | North Carolina | Enacts the State Insurance Data Security Act; requires a licensee to develop, implement and maintain a comprehensive information security program based on the licensee’s risk assessment and to establish certain requirements for the security program; provides minimum requirements for a licensee’s Board of Directors, if applicable; requires a licensee to monitor the security program and make adjustments if necessary; provides that the licensee must establish an incident response plan; relates to reports. |
| SC H 4950 | State agencies | North Carolina | Makes appropriations. Requires all state agencies to adopt and implement cybersecurity policies, guidelines and standards developed by the Department of Administration. The department may conduct audits on state agencies except for public institutions of higher learning, technical colleges, political subdivisions, and quasi-governmental bodies as necessary to monitor compliance with established cybersecurity policies, guidelines and standards. |
| OH S 273 | Insurance | Ohio | Clarifies the definition of an insurance rating agency; requires each licensee to develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment; relates to a domestic surplus lines insurer. |
| OK S 584 | State agencies | Oklahoma | Relates to public finance, relates to security risk assessments, establishes requirements for information security audit conducted by the certain firm under certain basis, requires Information Services Division to assist in repairing vulnerabilities, provides an exception for certain agencies subject to certain mandatory cybersecurity standards, requires submission of information security audit findings, modifies requirement for submission of findings within a certain time. |
| TX S 820 | Education | Texas | Requires a school district to develop and maintain a cybersecurity framework. |
| TX S 936 | Utilities | Texas | Revises provisions relating to the Cybersecurity Monitor Program for electric utilities, requires the Public Utilities Commission to contract with an entity to act as the Commission’s Cybersecurity Monitor, authorizes an electric utility, municipally owned utility, or electric cooperative to participate or discontinue participation in the Cybersecurity Monitor Program.
|
| 85R HB8 (Cybersecurity act) | State agencies, Education | Texas | The bill sets mandatory practices for state agencies, institutes continuous monitoring and auditing of network systems adds protections for student data privacy and updates the penalties for cybercrime. https://securityboulevard.com/2020/07/the-texas-cybersecurity-act-what-you-need-to-know/ http://www.txblc.org/wp-content/uploads/HB8-The-Texas-Cybersecurity-Act_4.20.17.pdf |
| TAC 202 | State agencies, Education | Texas | https://dir.texas.gov/View-About-DIR/Information-Security/Pages/Content.aspx?id=2 |
| UT H 41 | Utilities | Utah | Addresses water policies of the state outlines the water policies of the state, encourages state agencies to follow the state policy, addresses suits referencing the state policy, requires an annual review of the policy. |
| VA H 852 | State agencies | Virginia | Relates to the Information Technologies Agency, requires the chief information officer of the Information Technologies Agency to develop and annually update a curriculum and materials for training all state employees in information security awareness and in proper procedures for detecting, assessing, reporting, and addressing information security threats. |
| VA H 1334 | Insurance | Virginia | Establishes standards for insurance data security, for the investigation of a cybersecurity event, and for the notification to the commissioner of Insurance and affected consumers of a cybersecurity event, requires insurers to develop, implement, and maintain a comprehensive written information security program based on an assessment of its risk that contains administrative, technical, and physical safeguards. |
| WV H 2452 | State agencies | West Virginia | Creates the West Virginia cybersecurity office, relates to the cybersecurity of state government, removes the requirements of the Chief Technology Officer to oversee the security of government information, creates the Cybersecurity Office, provides that the Chief Information Security Officer oversee the Cybersecurity Office, authorizes the Chief Information Security Officer to create a cybersecurity framework, to assist and provide guidance to agencies in cyber risk strategy. |
How Can LogSentinel Help You Ensure US Law’s Cybersecurity Compliance?
LogSentinel SIEM lets you monitor your systems for security events, alert you in case of potential breaches and provide you with compliance reports. More importantly, it helps you be more secure and therefore follow the spirit of those laws, not just their letter.
With Logsentinel SIEM, you will make the audits, required by the US laws, such as HIPAA, HITECH, GLBA, SOX, FISMA, CISA, much easier. LogSentinel SIEM provides flexible compliance reports, allowing you to tailor them in accordance with what’s required from the specific regulation. Furthermore, LogSentinel SIEM allows read-only access for auditors and can be integrated with third parties, so you can share the reports as required, without having to worry about sharing too much data.
Advanced Threat Detection Capabilities
The key functionality of a SIEM is detecting malicious behaviour in a large volume of data. We leverage rule-based and machine learning-based anomaly detection on multiple data sources to detect threats, which can be shared securely as required in CISA, LA S 46, VA H 852.
Thanks to that advanced threat detection functionality, you will be able to easily detect anomalies and threats against your infrastructure. By using advanced AI technology, you will be able to analyze user behaviour and risk profile to prevent insider threats, based on data accumulated from all integrated systems.
Your security team will get alerts every time when a security incident needs an immediate response. Alerts can be sent via email, SMS, or trigger other activities, as outlined in the next section. Thanks to all that, you will gain a complete overview of your systems, and you will be able to detect and respond to threats in real-time.
Confidentiality, Availability and Integrity
Confidentiality, availability and integrity is the CIA triad which is reviewed in detail in cybersecurity laws such as FISMA, AL S 54, LA S 46, MS S 2831 and others.
LogSentinel SIEM provides complete data confidentiality, integrity, and authenticity for all information stored within the solution, leveraging a permissioned blockchain technology. The chain is subject to complete verification every 12 hours, or at other configurable intervals. Internal verification mechanisms also exist, as follows:
• Pushing hashes, representing the complete state of all data to external stakeholders via e-mails or text message.
• Pushing hashes, representing the complete state of all data to a public blockchain (e.g. Bitcoin, Ethereum or any other).
• Pushing hashes, representing the complete state of all data to a publicly verifiable source such as Twitter.
LogSentinel SIEM ensures that it is technically impossible to breach data integrity, confidentiality and authenticity without detection.
To ensure integrity, LogSentinel can be set up in accordance with the specific business case and can collect all modifications to data. Then periodic comparisons can be performed by utilizing our APIs to make sure that the data in the database is indeed what it is expected to be, and neither accidental nor malicious modifications were performed. Not only that, but you’ll be able to prove to 3rd parties, e.g. auditors, that the integrity of your data is sound. And that’s cryptographically guaranteed, so you don’t have to take our word for it, you can check the hashes and proofs yourself.
Predictable and Affordable Pricing
- Every SIEM feature included – log collection, threat detection, incident response, behaviour analytics – to fully cover any US cybersecurity regulatory requirements
- Unlimited log storage for your compliance needs
- Discounted prices for a large number of users
Bozhidar Bozhanov is co-founder and the CEO at LogSentinel. He is a senior software engineer and solution architect with 15 years of experience in the software industry. Bozhidar has been a speaker at numerous conferences and is among the popular bloggers and influencers in the technical field. He’s also a former government advisor on e-government, transparency and information security.
